I had the same problem with all of my browsers: IE, Firefox, and Chrome. Ads would rise up in the lower left and lower right hand corners of my browser window (box or cellphone shape) on random sites. I scanned my computer unsuccessfully with Malwarebytes (free), Microsoft Malicious Software Removal Tool (free), and McAfee (enterprise). Nothing was detected and it was maddening. I also recently scanned with Microsoft Security Essentials (free).
For online resolutions: I read in a Malwarebytes forum that combofix.exe works; however, this program requires you to disable security scanners before running, and I am unable to do that on my laptop. I also read about several scans to try on bleepingcomputer; I had tried several already (listed in the first paragraph), so I jumped to RogueKiller (which worked for the user posting there). This scanner notified me that my host file was redirecting google-analytics. It attempted to resolve this, but it didn't maintain its fix after a reboot (i.e. ads kept rising up; another scan shows the host file still corrupted**).
For an interim workaround: I blocked access to google-analytics.com on my router and the ads went away. I originally found this by trial and error using Chrome's inspect element. Other sites I am still blocking, which only removed the internal ad and not the ad box/cellphone itself, are:
bluekai.com, edgesuite.net, find-allyouneed.com, fwmrm.net, xtendmedia.com, yieldmanager.com; because of the RogueKiller scan**, I have also added statcounter.com and doubleclick.net
My ultimate solution: I found another resource on an independent website: jaysonjc.com that had the identical problem as I describe. Exactly as he describes his symptoms, it turns out that my host file was hidden and read only with the dns redirects listed below (additional detail in the website I reference). Although he resolved with a login as administrator and an edit of his host file (which would work), I did the following as a user with admin privileges:
- In the parent directory C:\Windows\System32\drivers\ I renamed .\etc to .\etc2
- I created a new .\etc directory in the parent
- I copied the visible contents from .\etc2 to the new .\etc (i.e. don't copy the hidden host file!)
- I created a new hosts file (in my case, I used the stranded hosts.txt that was sitting in there; be sure to remove the .txt file extension).
I then rebooted and scanned using RogueKiller. End result: no more DNS redirects detected. Please note: you may have this symptom as well; however, this is somehow caused by something that resides on your system (Simda, adware, etc.; see the jaysonjc.com website I reference above). I just don't recall ever seeing any detection. Regardless, I would suggest some of the scans I list in the first paragraph... get whatever it is off of your PC, then remove the entries from your hidden host file.
Seems simple now, but it took a while. I hope this helps. Good luck.
** For additional reference, here are the entries in my host file that would not go away according to RogueKiller (FYI: I do not see these when editing the hosts file in Notepad):
64.46.36.178 www.google-analytics.com.
64.46.36.178 ad-emea.doubleclick.net.
64.46.36.178 www.statcounter.com.
64.27.10.42 www.google-analytics.com.
64.27.10.42 ad-emea.doubleclick.net.
64.27.10.42 www.statcounter.com.
I ran ComboFix and found some entries in startup that I hadn't seen before: c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe and c:\windows\SysWOW64\ezSharedSvcHost.exe
ezSharedSvcHost.exe does not have a company or verified signature in Process Explorer. I renamed ezSharedSvcHost.exe to ezSharedSvcHost.exe.hide and then created a dummy ezSharedSvcHost.exe and marked it read only.
This seems to get rid of the popup in the lower right hand corner of the browser and the browser redirect. – BrianK – 2012-10-06T13:20:16.510
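A read-only PowerShell check for the condition the answer above describes (a hidden, read-only hosts file whose entries do not show up in Notepad). It is an added example, not taken from the post or from any of the scanners mentioned. It assumes PowerShell 3.0 or later, an elevated prompt, and the default etc location; all variable names are illustrative.

```powershell
# Added example: read-only audit of the hosts directory; it changes nothing.
# Assumes PowerShell 3.0 or later, run from an elevated prompt.
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'

# -Force includes Hidden and System files, which Explorer and a plain
# "dir" leave out by default.
$files = Get-ChildItem -LiteralPath $etc -Force | Where-Object { -not $_.PSIsContainer }

# 1. Every file with its attributes. The name is also shown as code points
#    so that two names that look the same on screen can be told apart.
$report = foreach ($f in $files) {
    [pscustomobject]@{
        Name       = $f.Name
        CodePoints = ($f.Name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
        Hidden     = ($f.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden
        ReadOnly   = $f.IsReadOnly
        Length     = $f.Length
        LastWrite  = $f.LastWriteTime
    }
}
$report | Format-Table -AutoSize

# 2. Every active "address name" line in any of those files, whatever the
#    file is called. Comments and lines not starting with an IP are skipped.
$sinks = '127.0.0.1', '::1', '0.0.0.0'
$entries = foreach ($f in $files) {
    foreach ($line in (Get-Content -LiteralPath $f.FullName -Force)) {
        $fields = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($fields.Count -lt 2) { continue }
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                File     = $f.Name
                Address  = $fields[0]
                HostName = $name
                # A name mapped to a routable address is a redirect to review.
                Redirect = ($sinks -notcontains $fields[0])
            }
        }
    }
}
$entries | Sort-Object File, HostName | Format-Table -AutoSize
```

Any row with `Redirect` set to `True` that you did not add yourself, or any file in the first table marked `Hidden`, is worth inspecting before and after a cleanup.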